
Administrative Policy Manual

Code: AK Quality/Risk Management

AK0900 – ENTERPRISE RISK MANAGEMENT

Policy Sponsor: VP Support Services & Chief Financial Officer

Policy Steward: Corporate Director, Privacy, Policy & Risk Management

Date Approved: March 2020

Date(s) Reviewed-r/Revised-R:

This is an Interior Health CONTROLLED document. A copy of this document in paper form is not controlled and should be checked against the electronic file version to ensure accuracy.

1.0 PURPOSE

To establish and maintain an effective and efficient organization-wide Enterprise Risk Management Framework to support Interior Health (IH) in achieving its Mission.

To provide direction on the requirements and responsibilities to integrate and apply the ERM Framework within all IH operations.

2.0 DEFINITIONS

Enterprise Risk Management or ERM: A continuous, systematic and proactive approach to support an organization in achieving its objectives by considering the Risks at all levels in the organization and then managing the combined impact of those Risks.

Framework: Interior Health Enterprise Risk Management Framework: Principles, Governance & Process (Appendix A).

Risk: Anything that adversely affects the achievement of objectives, measured in terms of its likelihood of occurrence and the consequences of its occurrence.

3.0 POLICY

IH will actively and systematically promote and instill ERM principles and processes in all planning and decision-making activities and will ensure relevant and appropriate tools, support and training are available.

The risk management office (RMO), under the direction of the Vice President, Support Services & Chief Financial Officer and the Strategy and Risk Management Committee (SRMC), will provide leadership and guidance for ERM.

4.0 PROCEDURE

4.1 This policy applies to all IH employees and medical staff.

4.2 All IH employees and medical staff are responsible for recognizing the potential risks within the scope of their own work and are expected to work with management and the RMO to document the risk and to establish appropriate processes and risk mitigation activities to address the risk.


4.3 The Framework sets out IH’s organization-wide approach to ERM and describes the principles of the ERM program, including the process and tools for identifying, assessing, mitigating and reporting on enterprise-wide Risks. The Framework also confirms the commitment to regularly improve the ERM program.

5.0 REFERENCES

IH Board of Directors Manual, s. 3.11.

International Organization for Standardization, ISO 31000:2018 Risk Management - Guidelines.

Province of British Columbia, Risk Management Guideline for the Public Sector.


Appendix A

Interior Health Enterprise Risk Management Framework

Principles, Governance & Process

March 2020


TABLE OF CONTENTS

1.0 Overview
2.0 Principles
3.0 Governance
    3.1 Alignment with Other Processes
    3.2 ERM Guided by Policy
    3.3 Roles and Responsibilities
    3.4 Key Activities
    3.5 Continuous Improvement
4.0 Process
    4.1 Key Features
    4.2 Detailed ERM Process
Appendices
    A. Risk Register Template
    B. Risk Assessment Matrix


Purpose

This framework document (Framework) describes Interior Health’s (IH) approach to managing risk across the organization through a structured risk management program to assist IH in achieving its Mission. The Framework applies to all employees and medical staff.

1.0 Overview

IH operates in a dynamic and complex environment that faces many areas of risk and uncertainty. The term “risk” describes the possibility that events will occur and either positively or negatively affect IH.

The term Enterprise Risk Management (ERM) describes a continuous, coordinated and proactive approach to manage and respond to risk across all parts of the organization, at all levels, from planning to service delivery.

IH’s ERM program follows the internationally recognized principles and standards set out by the International Organization for Standardization (ISO) and the Province of British Columbia’s Risk Management Guideline for the Public Sector. IH’s ERM program does not operate in isolation and aligns with other IH-wide processes.

This Framework describes the three components of IH’s ERM program: the principles for managing risk; the governance of the program; and the process for identifying, assessing, monitoring and reporting risk information.

“. . . hospitals and other healthcare systems are expanding their risk management programs from ones that are primarily reactive and promote patient safety and prevent legal exposure, to ones that are increasingly proactive and view risk through the much broader lens of the entire healthcare ecosystem.”

Source: “What is Risk Management in Healthcare”, NEJM Group, a division of the Massachusetts Medical Society.


2.0 PRINCIPLES

Every person at IH acts as a risk manager responsible for identifying and managing risks that may prevent IH from achieving its Mission. The following principles are the foundation for IH’s ERM program (Source: ISO 31000:2018 Risk Management - Guidelines):

• Creates Value: create and protect value by identifying and managing internal and external factors that may affect IH’s Mission.
• Integral Part of Organizational Processes: integrate ERM within the organization’s other planning activities and processes.
• Part of Decision Making: help decision-makers make informed choices, prioritize and distinguish among alternative courses of action.
• Explicitly Addresses Uncertainty: explicitly account for uncertainty, the nature of that uncertainty and how to address it.
• Systematic, Structured & Timely: a consistent and structured approach contributes to efficiency and to comparable and reliable results.
• Based on Best Available Information: obtain the best available information in order to have a correct understanding of any risk.
• Tailored: adjust the ERM process to align with IH’s needs.
• Accounts for Human & Cultural Factors: recognize that human and cultural characteristics influence a stakeholder’s view.
• Transparent & Inclusive: appropriate and timely involvement of stakeholders ensures ERM remains relevant and up to date.
• Dynamic, Iterative & Responsive to Change: continually sense and respond to change resulting from external and internal events.
• Continual Improvement: develop and implement strategies to improve ERM maturity alongside all other aspects of the organization.

IH’s Risk Management Office (RMO) continually evaluates the ERM program to ensure it continues to reflect these principles, and recommends adjustments if portions of the program no longer add value and should be discontinued or redesigned based on IH’s organizational culture and context.


3.0 GOVERNANCE

The design and structure of IH’s ERM program takes into consideration its culture, context, any legal and regulatory requirements and, most importantly, its obligations to clients, employees, patients and partners. The effectiveness of the ERM program depends on successfully embedding it into the decision-making process for all IH activities. Integrating considerations of risk helps ensure IH stakeholders account for risks, and for the activities in place to manage those risks, when planning operations and activities to help achieve IH’s Mission. This integrated approach to risk helps overcome the perception that risk management is an isolated exercise concerned only with compiling and managing a list of risks.

Governance of the ERM program includes:

• aligning the program with other organization-wide processes;
• implementing ERM principles via an organization-wide policy;
• establishing a governance structure with clearly defined roles and responsibilities;
• outlining the program’s key activities; and
• continuing to improve the program.


3.1 Alignment with Other IH Processes

One of the Board’s risk management mandates is to ensure that management has systems and programs in place to manage principal financial and non-financial risks (Board Risk Management Policy Section 1.5). The ERM program is one of the many organization-wide processes that occur regularly, as shown in the IH Annual Planning Cycle below (Source: Courtesy of IH Health Systems Planning Department).

[Figure: IH Annual Planning Cycle, a fiscal-year (April to March) cycle in four phases: Q1 Implement; Q2 Begin Scan (Evaluate / Assess); Q3 Planning (Assess / Plan); Q4 Finalize, adopt plans (Plan). ERM activities placed on the cycle: Environmental Scan (including ERM); Review & Refresh ERM risk registers with Risk Owners; SRMC & SET review Key Risks; Portfolio Work Plans (Oct – Dec) and ERM risk registers inform BMP; ERM Report to Board. Other milestones shown: Launch planning process; Internal consultations; EPM Objectives; SET Strategy Day; SET Strategic Working Day; Draft IH Service Plan & Detailed Plan; Service Plan to MOH; Annual Service Plan Report to MOH*; Q4 Update*; MOH Budget; MOH Service Plan; Draft Mandate Letter and Bilateral Agreement; Prelim. Funding Letter.]

* From previous fiscal year.

** ERM risk register informs, and is informed by, Portfolio Workplans and Environmental Scans.

LEGEND: BMP: Budget Management Process; EPM: Employee Performance Management; ERM: Enterprise Risk Management; MOH: Ministry of Health; SET: Senior Executive Team.


3.2 ERM Guided by Policy

Another critical component of IH’s ERM program is its policy document. IH’s ERM Policy, AK0900 – Enterprise Risk Management, sets forth a common approach to addressing risk to support achieving its Mission. The benefits of the policy include:

• Advancing the objective of integrating Enterprise-Wide Risk Management into IH operations.
• Establishing clearly defined, documented risk management processes connected to other enterprise-wide processes.
• Providing IH employees and medical staff easier access and reference to the ERM processes via the Insidenet Policy page.
• Ensuring the policy receives periodic review (every 3 years per the IH Policy Development Guide).


3.3 Roles & Responsibilities

An effective ERM program requires clearly defined roles and responsibilities. The major stakeholders for the ERM program include the Board of Directors, the Senior Executive Team, Internal Audit, the Strategy and Risk Management Committee, Vice President Leadership Teams and all IH employees and medical staff. Responsibility for the ERM program lies across the organization. The specific responsibilities of each stakeholder are set out below.

Board of Directors (Board)

• Provide overall oversight of the ERM program, delegating to Board Committees all or certain oversight responsibilities as required.
• Determine the strategic approach to risk and set risk appetite.
• Understand the most significant/key risks.
• Monitor activity, through receiving reports, in order to support management with budgets and decision making to manage risks properly, and to advocate within the community and the Ministry for other resources to manage identified risks.

Senior Executive Team (SET)

• Determine and provide resources to implement and maintain the ERM program.
• Review significant/key risks.
• Define the roles of management and management committees.
• Monitor the operation of the ERM program and provide the Board with an annual update that includes: (i) identifying key risks and mitigation activities; (ii) changes to previously identified key risks and mitigation activities; and (iii) recommending any changes in policy or process needed to achieve the overall objectives of the ERM program.

Internal Audit

• As part of its mandate to audit current and developing control systems, gather information on all aspects of the ERM program and how it is functioning across the organization.
• Provide the President and Chief Executive Officer, the SET and the Board with an independent assessment of the strengths and weaknesses of the ERM program and advise on where changes in either policy or process may be desirable.

Strategy & Risk Management Committee (SRMC)

• Perform the Risk Committee function for the ERM program.
• Review the appropriateness of items on the enterprise risk register, monitor risk mitigation plans and their effectiveness, and recommend additions/deletions of risk items.
• Assign risk owners for significant/key risks.
• Review key risks and ensure mitigation responses are consistent with the risk appetite.
• Recommend additions and deletions of key risks to SET.
• Report monthly risk alerts to SET.

VP Leadership Teams (VPLT)

• Identify, assess, monitor and report on risk events in their areas of responsibility.
• Monitor and report changes to existing risk events and risk mitigations.

Risk Owner (senior IH leaders with knowledge of the key risks)

• Oversee risk mitigation activities, including updating the status and completion of the activities.
• Coordinate efforts with other IH employees and medical staff to complete risk mitigation activities.
• Communicate the status of risk mitigation activities to SRMC.

Risk Management Office (RMO)

• Educate stakeholders on ERM.
• Develop, monitor and revise the administrative procedures for the ERM program.
• Liaise/coordinate with risk owners to obtain an enterprise-wide view of risks.
• Prepare updates, at least once per year, to the Board on risk management activities, as well as updates if any significant risk changes or issues arise.
• Review the ERM program and recommend changes as appropriate.

Employees and Medical Staff

• Apply risk management within the scope of their duties and responsibilities.
• Report risks with causes, impacts or mitigations beyond their scope of responsibility or available resources to their manager.
• Integrate sound risk management planning and process into their business processes.


3.4 Key Activities

A clearly understood ERM program requires consistent, recurring activities as well as a regular reporting schedule to ensure all stakeholders are aware of enterprise-wide risks. IH management is committed to the following recurring activities relating to the ERM program:

AUGUST
• Review Environmental Scan to identify weaknesses or challenges that pose a risk.

NOVEMBER
• Review and update risk register with risk owners.
• VP Workplan Process begins.
• Update workplans to include risk mitigation activities where appropriate.

JANUARY
• Consider any new risks and remove risks from the enterprise risk register that are no longer relevant.
• Refresh the enterprise risk register by reviewing the likelihood and consequence rating for each risk.

FEBRUARY
• Identify Key Enterprise Risks, based on analysis of key risks across all VPLT risk registers.

JUNE
• Annual Report to the Board: Key Risks (Current & Trending) and Risk Mitigation Strategies.

The value of an organization’s ERM program also lies in conducting regular, proactive monitoring and environmental scans to capture internal and external events that may affect its ability to achieve its Mission. Proactive activities relating to IH’s ERM program include:

BI-MONTHLY
• Provincial Risk Management Meetings. Attendees include all BC health authorities and the provincial healthcare insurer. Discuss current and trending healthcare risks and report relevant items to SRMC.

MONTHLY
• Assigned risk owners update SRMC on Risk Mitigation Activities of assigned Key Risk Events.
• RMO regularly reviews SRMC agenda items (via briefing notes) for emerging risks to monitor and/or present to SRMC as an enterprise risk event.

QUARTERLY
• Meet with VPLTs to discuss the status of Risk Events and Risk Mitigation Activities within portfolio risk registers.


3.5 Continuous Improvement

The RMO monitors and reviews the ERM program and, in collaboration and consultation with SRMC and SET, decides on improvements to the program. The objective of continual improvement is to improve IH’s management of risk and its risk management culture.

Triggers for continuous improvement include:

• At minimum every three years, and as required, review the ERM policy to ensure it reflects current ERM best practices.
• Yearly review of risk domains and categories to ensure alignment with IH’s Mission and to reflect changes in the external environment.
• Continue looking for opportunities to embed the risk management culture by regularly reviewing and updating as necessary:
  o Reports to stakeholders (form of reports, frequency, etc.).
  o Technology to automate the ERM process to support ease of use and increase engagement.
  o Methods to measure risk management progress against, and deviation from, the ERM principles.
  o Reporting on progress with the ERM program and how well employees are following the ERM policy.
  o Improvements to the ERM Framework.


4.0 PROCESS

IH’s ERM process is an iterative one, refreshed annually and as needed should there be material changes in IH’s operating or business environment. The figure below describes the four components and the continuous and iterative nature of the process.

4.1 Key Features

The ERM Process is an iterative and continuous 4-step process:

• IDENTIFY: identify risks that could prevent IH from achieving its Mission.
• ASSESS: assess the likelihood and consequences of the risks occurring.
• MANAGE: determine and evaluate controls or risk mitigation measures to manage the risks.
• MONITOR & REPORT: monitor and report on key organization-wide risks and risk mitigation activities.


4.2 Detailed ERM Process

Each step of the ERM process requires completing specific actions and recording the results of these actions in a central, accessible document. A risk register is the central document that records the information captured during the ERM process (Appendix A). Risks do not remain static and a risk register is a living document, subject to review at regular intervals. The detailed actions within each step of the ERM process include:

IDENTIFY
• Recognize and describe risk events (short to long term and emerging risks).
• Identification techniques: review incident reports (e.g. Patient Safety Learning System events); review risks identified in briefing notes submitted to SRMC.
• Record identified risks in the risk register.

ASSESS
• For each identified risk event, determine a risk rating by (a) determining the likelihood of the risk event occurring and (b) determining the consequences resulting from the risk event occurring, using the Risk Assessment Matrix (Appendix B). The product (likelihood x consequence) of these two variables is the risk rating.
• Record the risk rating in the risk register.

MANAGE
• Establish and implement risk mitigation activities to:
  o Accept the risk event;
  o Avoid the risk event by not starting, or by ceasing, the activities that cause it;
  o Mitigate the consequences or likelihood of the risk event; or
  o Transfer all or part of the risk event to another party (e.g. via contracts or insurance).
• List all risk mitigation activities for each identified risk event on the risk register.

MONITOR & REPORT
• Monitor and regularly report on the risk mitigation activities of each risk event in the risk register.
• Assigned risk owners provide regular updates to SRMC on Risk Mitigation Activities of key risks.
• RMO presents an Annual Report to the Board on Key Risks (Current & Trending) and Risk Mitigation Activities.


Appendix A: Risk Register (Template)

Columns of the template, one row per risk event:

RISK CATEGORY: Identifies the risk category most applicable to the risk event.

RISK EVENT: What is it that you are working to avoid, or to reduce the likelihood or impact of occurring? Risks are future events that could stop you from achieving IH’s Mission.

CAUSE: What are the triggers, sources or circumstances that, acting alone or together, increase the likelihood that the Risk Event occurs? There are usually multiple causes leading to a Risk Event.

RISK CONTROLS: What are you doing now, or plan to do in the future, to reduce the impact of the event?

INHERENT RISK RATING (see Risk Assessment Matrix): Likelihood, Consequence, Inherent Risk Rating.

RESIDUAL RISK RATING (see Risk Assessment Matrix): Likelihood, Consequence, Residual Risk Rating.

EFFECTIVENESS OF RISK CONTROLS: Controlled, In Progress or Attention Required.

RISK TOLERANCE: Will you ACCEPT, AVOID, MITIGATE or TRANSFER the risk?

RISK LEADER

FURTHER ACTION

COMPLETION DATE


Appendix B: Risk Assessment Matrix

RISK ASSESSMENT MATRIX (each cell is likelihood x consequence; rows are likelihood, columns are consequence)

                                              CONSEQUENCE
LIKELIHOOD                        1 Insignif.  2 Minor     3 Moderate  4 Major     5 Catastrophic
5 Almost Certain                  Low 5        Medium 10   High 15     Extreme 20  Extreme 25
4 Likely                          Low 4        Medium 8    High 12     High 16     Extreme 20
3 Possible                        Low 3        Medium 6    Medium 9    High 12     High 15
2 Unlikely                        Low 2        Low 4       Medium 6    Medium 8    Medium 10
1 Almost certain not to happen    Low 1        Low 2       Low 3       Low 4       Low 5

LIKELIHOOD

5 Almost Certain: 80% - 99% probability of occurring in the next 12 months. Expected to occur.

4 Likely: 61% - 79% probability of occurring in the next 12 months. Will occur in most circumstances.

3 Possible: 40% - 60% probability of occurring in the next 12 months. It might occur at some time.

2 Unlikely: 11% - 39% probability of occurring in the next 12 months.

1 Almost certain not to happen: 0% - 10% probability of occurring in the next 12 months. Occurs only in exceptional circumstances.

CONSEQUENCE

1 Insignificant: Minimal impact on achieving Mission. Outcomes within stated risk tolerances. Consequences dealt with by routine operations. Negligible monetary loss. No community response. No media interest.

2 Minor: Minor impact on Mission. Outcomes within stated risk tolerances. Consequences threaten efficiency or effectiveness of some services. Monetary loss managed within operating or project budget. Isolated community complaints. Local short-term media interest.

3 Moderate: Moderate impact on Mission. Outcomes may or may not remain within risk tolerances. Consequences would require significant review or changes to ways of operating. Monetary loss may require suspending some services. Moderate environmental implications. Some community complaints. Local long-term media interest.

4 Major: Major impact on Mission. Consequences threaten effective provision of services. Senior management intervention required. Monetary loss would require cancellation of some services. High environmental implications. Negative community complaints. Major loss of credibility. National short-term media interest.

5 Catastrophic: Catastrophic impact on Mission. Consequences threaten key services, causing major problems for clients. Monetary loss would have extreme consequences. Far-reaching environmental implications. Catastrophic loss of reputation. Parliamentary concerns. National long-term media interest.


RISK RATING (LIKELIHOOD X CONSEQUENCE) AND ACTION REQUIRED

Extreme (20-25): Mitigate, Transfer or Avoid. Immediate attention required. Action plan developed by risk owner.

High (12-16): Mitigate or Transfer. Action plan for mitigation or transfer developed by risk owner.

Medium (6-10): Accept or Mitigate. Action plan for mitigation developed by risk owner.

Low (0-5): Accept and monitor. No further action required.

Ratings of 11 and 17 to 19 cannot arise as the product of two whole numbers between 1 and 5, so the four bands above cover every rating the matrix can produce.
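The ASSESS step in 4.2, the register columns in Appendix A and the matrix and action table in Appendix B together define a scoring procedure. The following Python module is an added worked example, not code from Interior Health or the Framework: it encodes the Appendix B matrix and action bands, scores the inherent and residual rating of each register row, and applies three consistency checks a reviewer would apply before a row reaches SRMC (residual not above inherent; a lowered residual backed by recorded controls; the chosen response permitted for the residual band). It also verifies that the printed 5x5 matrix agrees with the band of likelihood x consequence in every cell. All function names, the handling of estimates that fall between the printed percentage bands, and the three sample register rows are this example's own assumptions; the rows are constructed for illustration and are not IH data.

```python
"""Risk-rating helper for an AK0900-style risk register.

Added worked example; not code from Interior Health or the Framework. It encodes
the Appendix B Risk Assessment Matrix and "Action Required" table so that the
inherent and residual ratings of register rows (Appendix A) are scored the same
way every time. Function names, gap handling and the sample rows are assumptions.
"""
from dataclasses import dataclass

# Appendix B likelihood levels: level -> (label, lowest %, highest % in the next 12 months)
LIKELIHOOD = {
    5: ("Almost Certain", 80, 99),
    4: ("Likely", 61, 79),
    3: ("Possible", 40, 60),
    2: ("Unlikely", 11, 39),
    1: ("Almost certain not to happen", 0, 10),
}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Appendix B "Action Required": band -> (low, high, permitted responses, action text)
BANDS = {
    "Extreme": (20, 25, ("MITIGATE", "TRANSFER", "AVOID"),
                "Immediate attention required. Action plan developed by risk owner."),
    "High": (12, 16, ("MITIGATE", "TRANSFER"),
             "Action plan for mitigation or transfer developed by risk owner."),
    "Medium": (6, 10, ("ACCEPT", "MITIGATE"),
               "Action plan for mitigation developed by risk owner."),
    "Low": (0, 5, ("ACCEPT",), "Accept and monitor. No further action required."),
}

# The 5x5 matrix as printed in Appendix B: rows = likelihood 5..1, columns = consequence 1..5
MATRIX_AS_PRINTED = {
    5: ("Low", "Medium", "High", "Extreme", "Extreme"),
    4: ("Low", "Medium", "High", "High", "Extreme"),
    3: ("Low", "Medium", "Medium", "High", "High"),
    2: ("Low", "Low", "Medium", "Medium", "Medium"),
    1: ("Low", "Low", "Low", "Low", "Low"),
}


def likelihood_from_probability(pct: float) -> int:
    """Map an estimated 12-month probability (percent) to an Appendix B level.

    The printed bands are whole percentages with gaps (10-11, 39-40, 60-61, 79-80,
    99-100). Assumption: round to the nearest whole percent, then take the highest
    level whose lower bound is not exceeded; 100 therefore maps to level 5.
    """
    if not 0 <= pct <= 100:
        raise ValueError("probability must be 0..100 percent")
    p = int(pct + 0.5)
    for level in (5, 4, 3, 2):
        if p >= LIKELIHOOD[level][1]:
            return level
    return 1


def rating(likelihood: int, consequence: int) -> int:
    """Risk rating as defined in Framework 4.2 (ASSESS): likelihood x consequence."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence


def band(score: int) -> str:
    """Band from the Action Required table. 11 and 17-19 are not products of two
    integers in 1..5, so every valid rating lands in exactly one band."""
    for name, (lo, hi, _, _) in BANDS.items():
        if lo <= score <= hi:
            return name
    raise ValueError(f"rating {score} is outside every band")


def action_required(score: int) -> str:
    return BANDS[band(score)][3]


def matrix_matches_bands() -> bool:
    """Audit check: every printed matrix cell equals band(likelihood x consequence)."""
    return all(MATRIX_AS_PRINTED[l][c - 1] == band(rating(l, c))
               for l in LIKELIHOOD for c in CONSEQUENCE)


@dataclass
class RiskEvent:
    """One Appendix A register row (columns not needed for scoring are omitted)."""
    category: str
    event: str
    controls: str
    inherent: tuple   # (likelihood, consequence) before controls
    residual: tuple   # (likelihood, consequence) with controls in place
    tolerance: str    # ACCEPT, AVOID, MITIGATE or TRANSFER
    risk_leader: str

    def inherent_rating(self) -> int:
        return rating(*self.inherent)

    def residual_rating(self) -> int:
        return rating(*self.residual)

    def issues(self) -> list:
        """Consistency problems a reviewer (RMO / SRMC) would flag on this row."""
        found = []
        inh, res = self.inherent_rating(), self.residual_rating()
        if res > inh:
            found.append("residual rating exceeds inherent rating; controls cannot add risk")
        if res < inh and not self.controls.strip():
            found.append("residual rating is lower than inherent but no controls are recorded")
        if self.tolerance.upper() not in BANDS[band(res)][2]:
            found.append(f"response {self.tolerance} is not permitted for a {band(res)} residual rating")
        return found


def register_summary(events: list) -> list:
    """Rows sorted by residual rating, highest first, with band, action and issues."""
    rows = [{"event": e.event, "inherent": e.inherent_rating(), "residual": e.residual_rating(),
             "band": band(e.residual_rating()), "action": action_required(e.residual_rating()),
             "issues": e.issues()} for e in events]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register for illustration only (not IH data)
SAMPLE_REGISTER = [
    RiskEvent("Technology", "Extended outage of a clinical information system",
              "Tested restore procedures; downtime procedures at each site",
              inherent=(4, 4), residual=(2, 4), tolerance="MITIGATE", risk_leader="VP Support Services"),
    RiskEvent("Workforce", "Sustained staffing shortfall at rural sites", "",
              inherent=(4, 3), residual=(3, 3), tolerance="ACCEPT", risk_leader="VP Clinical Operations"),
    RiskEvent("Financial", "Capital project cost overruns", "Stage-gate approvals",
              inherent=(3, 3), residual=(3, 4), tolerance="TRANSFER", risk_leader="CFO"),
]

if __name__ == "__main__":
    print("matrix consistent with bands:", matrix_matches_bands())
    for row in register_summary(SAMPLE_REGISTER):
        print(row)
```

Running the module prints the sorted register; the Financial row is flagged because its residual rating (12) is above its inherent rating (9), and the Workforce row because its rating was lowered without any recorded control. The matrix check is the one worth keeping in a pipeline: if the scoring tables are ever edited independently, it catches a cell that no longer agrees with the band thresholds.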